Data Exfiltration Under the Microscope – The Auditor’s New Love Interest

Talking with a lot of friends in the industry, something I’ve noticed in just this past month or so is a heavy focus on preventing data exfiltration – the movement of data outside of the protected, corporate network.  I wouldn’t have thought much of it but everyone, including myself, seems to have brought it up over just the course of a few weeks.  It seems like, with the discover-resolve-patch process pretty solidified in terms of external threats, the focus is starting to move toward internal ones.  It makes sense, too.  In fact, the only question I have to ask is…

Why wasn’t this done sooner?


TechTarget’s full definition of data exfiltration is:

Data exfiltration, also called data extrusion, is the unauthorized transfer of data from a computer.

Such a transfer may be manual and carried out by someone with physical access to a computer or it may be automated and carried out through malicious programming over a network.

What we’re focusing on isn’t the malicious outside attacker but the malicious, or even not-so-malicious, insider.  There’s an obvious benefit to stopping the malicious, but only so much can be done when someone has physical access to a PC.  Not that you shouldn’t try, of course.  What really interests me, though, is what the non-malicious can do.

So first off, let’s talk about what changes auditors are suggesting.

Disable USB drives on the GPO level.  Check, this was the most likely to already be done but I know a lot of places, mine included, hadn’t.

Disable mounting drives in Citrix.  Check.  This is an interesting one, but it definitely helps prevent malicious scripts on a local PC from having connected access to the Xenapp server itself – since remember a CItrix session is just a remote session on the server.

Disable copy+paste from a remotely connected corporate network session.  So far, at least, this doesn’t seem to imply the best practice is to disable copy+paste to remote sessions in general, but instead from say, your home PC to your office workstation.  Check.   Oof, that’s a doozy but we’ll come back to that.

Block GMail? Check?  Well, maybe not GMail only but one thing that a friend did bring up in a discussion I had is them locking down any third party email site.  Much to the chagrin of their employees.

Okay, so what does that mean for us?

Well, some things certainly will be more annoying.  That doozy of a copy and paste change, at least to me, has a big impact.  Moving files around has been my go-to when I couldn’t open something on my workstation, or when I wanted to work on something from work on my more “perfectly set up” home system.  Can’t have some customized, memory-hog IDE running on my work PC but I can copy them in and out as I test things.  Well, I used to be able to. And sometimes when my work PC was acting up and I couldn’t reach it, I could just Citrix to my user share, download a file I needed to work on (because RDP through Citrix is awful), and be on my way.  Not anymore.

But that’s okay. This was a HUGE security issue that for so long convenience has outweighed.  But won’t a malicious attacker find ways around it? Upload sites that haven’t been blocked, screenshots saved on their laptop, specially hacked USB devices?  Well, yes, but that brings me back to what I said most interested me –

The Non-Malicious Exfiltrator

Data leaks don’t just happen because someone malicious hacked the system.  We’ve all heard the story of a secretary who sends a file with plaintext social security numbers to the wrong person (which is another issue altogether, but I don’t want to digress).  Or the user who saves a file with company secrets on their personal computer to work on.  Their personal computer which doesn’t have the carefully crafted protections their workstation does and gets infected and has that data stolen.  That’s, in my opinion, the biggest cause for this focus. Having a strict control of your data is important, and once it passes outside of your corporate environment, you’ve lost track of it.

Or HIPAA.  Anyone who works in IT in the medical field probably either twitches or grins sadistically when they read that acronym.  There are so many regulations, but it all basically boils down to a great tenet of security – the principle of least privilege.  Nobody can know more than the least they absolutely have to to get their job done.  Patient data needs to have its movement tracked, ensured that it’s always protected by industry standards, and not seen by any non-privileged person.

And that brings me to the last security change I mentioned – private email.  This also likely includes sites to upload files like Google Drive, Mega, Dropbox, and the like.  What do we get out of that?  Why do we care about that, we can just use our corporate email address to send the files, can’t we?

Well, besides whatever file types aren’t allowed to be sent (though you can just ZIP them), restricting this gives us something that’s both required by HIPAA as well as just a good security ideal – an audit trail.  In fact something that all of these changes give is more scrutiny into who does what.  There’s a reason everyone has their own unique logon to vCenter (you do give everyone their own unique logon to vCenter, don’t you?). You want to track who does what.  Not simply to lay blame, but to be able to track down any changes that you need more info about.  Imagine if people could log into your vCenter using their home PC’s account.  You’d see that CoolDude69 is the one who shut down the server last night and just have to shrug.

So, the Audit Trail

Yes, the audit trail.  The thing that unique logins allow us.  The thing that vCenters, and firewalls, and file shares have.  Now we ensure that there’s no gap in that trail.  We can, at least more than we could before, ensure that when it says a file was last accessed yesterday at 9PM by rsims, it was indeed the last time he accessed it.  And that when he accessed it, the file was protected by the industry level security our environments use. And we know if he sent that file via email outside of the network and can question him on it if something happens.

Honestly, as annoying as some of the changes will be, it’s a very good thing.  These are things that could’ve been implemented back in 2007 but the issues probably paled in comparison to the attacks we were still facing back then, and the convenience of having the abilities made us push it off even more.  But this was definitely a long time coming, and I wasn’t surprised at all when I heard it was coming down the pipe.

Hopefully they let me use github for a while longer, at least…



Has your company recently implemented some of these exfiltration policies? Are they going as hard on it as the way I mentioned?  Does it change much for you, or do you rarely need to do something like that anyway?  Let me know that, and any other thoughts you have on it, in the comments!

Leave a Reply

Your email address will not be published. Required fields are marked *